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Claims 

What is claimed is: 

1 . A method of generating a representation of an access control list, the representation being 
utilizable in a processor, the method comprising the steps of: 

5 determining a plurality of rules of the access control list, each of at least a subset of 

the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access control 
list, each of one or more of the levels of the tree representation being associated with a corresponding 
one of the fields; 

10 wherein at least one level of the tree representation comprises a plurality of nodes, 

with two or more of the nodes of that level having a common subtree, the tree representation 
including only a single copy of that subtree; 

the tree representation being characterizable as a directed graph in which each of the 
two nodes having the common subtree points to the single copy of the common subtree. 

15 

2. The method of claim 1 wherein the common subtree is implemented at least in part as a 
matching table. 

3. The method of claim 1 wherein the plurality of fields comprises at least first and second 
20 fields, the first field comprising a source address field and the second field comprising a destination 

address field. 

4. The method of claim 1 wherein a final level of the tree representation comprises a 
plurality of leaf nodes, each associated with one of the actions of the plurality of rules. 

25 

5. The method of claim 1 wherein the at least one level of the tree representation comprises 
a root level of the tree representation. 
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6. The method of claim 5 wherein a second level of the tree representation includes a 
plurality of nodes, each being associated with a subtree of a given one of the plurality of nodes of 
the root level of the tree representation. 

5 7. The method of claim 1 wherein for each level of the tree representation that corresponds 

to a field of a rule of the access control list, a master list of nodes is maintained, each node 
comprising at least one of information characterizing one or more field values associated with that 
node, one or more subtree pointers for that node, and a reference count indicating how many ancestor 
nodes are pointing to that node. 

10 

8. The method of claim 7 wherein the tree representation is generated by sequentially 
processing the rules of the access control list, the processing for a given rule comprising applying 
values of fields of the given rule to one or more existing nodes of the tree representation, and 
wherein when a particular value of a field of the given rule is applied to a given node, a copy is made 

1 5 of the node, the field value is applied to the copied node, and the resultant updated node is added to 
the master list of the corresponding level. 

9. The method of claim 8 wherein the updated node is compared with other nodes of the 
master list and if a duplicate node is found, the copied node is deleted and a pointer to the duplicate 

20 node is provided to an ancestor node that points to the given node, a subtree pointer of the ancestor 
node is updated to the duplicate node pointer, a reference count of the duplicate node now pointed 
to by the ancestor node is incremented and a reference count of the given node previously pointed 
to by the ancestor node is decremented. 

25 10. The method of claim 9 wherein if a duplicate node is found in the master list, that 

duplicate node is moved to an initial position in the master list. 
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11. The method of claim 7 wherein for each node in the master list, a copy pointer is 
maintained, and wherein when a copied node is compared to the master list and a duplicate node is 
found, the copied node is added as a copy to the master list for use in conjunction with the processing 
of a subsequent rule. 

5 

12. The method of claim 7 wherein for each node in the master list, a signature is maintained 
in order to facilitate node comparisons, a full comparison of node subtrees being performed only if 
a match is obtained between node signatures. 

10 13. The method of claim 12 wherein the signature for a given node is generated as a function 

of at least one of a field value and a subtree pointer. 

14. The method of claim 1 wherein the corresponding actions include at least an accept 
action and a deny action. 

15 

15. The method of claim 1 further including the step of storing at least a portion of the tree 
representation in memory circuitry accessible to the processor. 

16. The method of claim 1 further including the step of utilizing the stored tree 
20 representation to perform an access control list based function in the processor. 

1 7. The method of claim 1 6 wherein the access control list based function comprises packet 
filtering. 

25 1 8. An apparatus configured for performing one or more processing operations utilizing a 

representation of an access control list, the access control list comprising a plurality of rules, each 
of at least a subset of the rules having a plurality of fields and a corresponding action, the apparatus 
comprising: 

20 
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a processor having memory circuitry associated therewith; 
the memory circuitry being configured for storing at least a portion of a multi-level 
tree representation of the access control list, each of one or more of the levels of the tree 
representation being associated with a corresponding one of the fields; 
5 the processor being operative to utilize the stored tree representation to perform an 

access control list based function; 

wherein at least one level of the tree representation comprises a plurality of nodes, 
with two or more of the nodes having a common subtree, the tree representation including only a 
single copy of that subtree; 
1 0 the tree representation being characterizable as a directed graph in which each of the 

two nodes having the common subtree points to the single copy of the common subtree. 

19. The apparatus of claim 18 wherein the memory circuitry comprises at least one of 
internal memory and external memory of the processor. 

20. An article of manufacture comprising a machine-readable storage medium having 
program code stored thereon, the program code generating a representation of an access control list, 
the representation being utilizable in a processor, wherein the program code when executed 
implements the steps of: 

determining a plurality of rules of the access control list, each of at least a subset of 
the rules having a plurality of fields and a corresponding action; and 

processing the rules to generate a multi-level tree representation of the access control 
list, each of one or more of the levels of the tree representation being associated with a corresponding 
one of the fields; 

wherein at least one level of the tree representation comprises a plurality of nodes, 
with two or more of the nodes of that level having a common subtree, the tree representation 
including only a single copy of that subtree; 
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the tree representation being characterizable as a directed graph in which each of the 
two nodes having the common subtree points to the single copy of the common subtree. 
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